Ransomware attacks on institutions and companies in the Netherlands

Ransomware is seen as a major and growing issue, and even considered a risk to national security. In a ransomware attack, the attacker infiltrates the victim's IT systems to deny access to the system or files. Often, the files are also encrypted, and nowadays (sensitive) data is sometimes stolen as well. Victims are then only able to regain access to their files by paying a ransom to the cybercriminals. The cybercriminals often pressure victims by threatening to leak the data in order to extort as much ransom money as possible. Currently, there is no complete overview of ransomware attacks on institutions and businesses in the Netherlands and the resulting damage. This lack of understanding of the scale and nature of the phenomenon hinders an effective response to ransomware. Dialogic has therefore conducted research, commissioned by the WODC, to explore what can be said about ransomware attacks on institutions and businesses in the Netherlands in 2020, 2021, and 2022 based on existing data sources. Various data sources were analysed in this research, including those from virus scanning providers, incident response companies, cybersecurity insurers, police reports, and ransomware groups' websites. Although these sources do not provide a clear picture, collectively they offer insights that can lead to a more effective response: - Email (phishing) is the most common method used to infiltrate victims' IT systems. - Ransomware groups mostly publicise attacks on American organisations on their websites. The Netherlands ranks 12th on this list. - Companies in the industrial and financial sectors are the most frequently targeted globally. However, in 2021, there was a doubling of attacks on companies in the ICT sector. - Ransomware attacks are most common among larger companies with a lot of personal data. - Victims are less likely to pay ransoms. However, the average ransom amount paid has increased. - The requested ransom amount is often higher than the eventual financial damage incurred. To establish a reliable and coherent overview, the researchers recommend setting up a central point where various government organisations (who currently hold different pieces of the puzzle) can share data. It is also important to explore under what conditions commercial entities such as insurers, virus scanning providers, and incident response companies are willing to share data. Finally, increasing the willingness of ransomware victims to report incidents is crucial. Reports to the police contain valuable information about the victim's characteristics and the attack, which can then be used in the detection and response to cybercriminals. Read the full report via this link: [Full Report (Dutch)](https://repository.wodc.nl/bitstream/handle/20.500.12832/3292/3375-ransomware-aanvallen-op-instelllingen-en-bedrijven-volledige-tekst.pdf?sequence=1&isAllowed=y)